Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Version 4.1.6 bug fixes
Configuration backups - Trusted Platform Module (TPM)
Support reference 79671
During the backup of a configuration with the privatekeys parameter set to none (this parameter can only be modified via CLI/Serverd command: CONFIG BACKUP), private keys stored in ondisk mode on the TPM are no longer wrongly decrypted.
Support reference 79671
Multiple configuration backups can no longer be launched simultaneously or too close apart, so private keys stored in ondisk mode on the TPM will no longer be wrongly decrypted.
Filtering and NAT
Support reference 79526
Whenever a group contained 128 or more objects, at least one of which had a forced MAC address, the filter rules that used this group were not applied to the traffic that matched them. This issue has been fixed.
Support references 80043 - 79636 - 80412 - 80376 - 79771
When a time object was enabled or disabled, the re-evaluation of connections that match the filter rule containing this time object no longer causes the firewall to unexpectedly restart.
Support references 79957 - 80108
Configurations that use multi-user authentication would sometimes fail to fully load web pages that embed CSP (content-security-policy) directives. This issue has been fixed.
Support reference 81624
In configurations that use multi-user authentication, the application of "img-src https://*" CSP (content-security-policy) directives would sometimes cause the proxy service to unexpectedly restart. This issue has been fixed.
Support reference 79858
A concurrent access (race) issue when saving new connections via the proxy has been fixed. This issue would cause the firewall to unexpectedly shut down and switch the roles of the members in a high availability configuration.
Support references 78196 - 79813 - 81759
The proxy would sometimes restart unexpectedly after queuing e-mails and receiving an SMTP 421 error from the server. This issue has been fixed.
Support reference 79584
In configurations that meet all the following conditions:
- HTTP proxy is used,
- Kaspersky antivirus is enabled,
- URL filtering is enabled.
Sending several HTTP requests through an internet browser within the same TCP connection (pipelining) no longer causes the proxy to suddenly restart.
Support reference 77207
The SSL proxy would sometimes restart when all of the following conditions occurred:
- An SSL filter policy applied a “Pass without decrypting” action when a CN could not be categorized,
- A connection matched this rule (“Pass without decrypting”) because the classification of the CN failed,
- A simultaneous connection to the same website was classified with the action “Block without decrypting”.
This issue has been fixed.
The errors that occur when the passive member of the cluster is updated are now correctly shown in the firewall’s web administration interface.
Support reference 80426
System event no. 19 "LDAP unreachable" is activated again when there are issues accessing an LDAP directory defined in the firewall configuration.
Support references 77226 - 78235
The OID "SNMPv2-MIB::sysObjectID.0", which makes it possible to identify the type of device queried, returned the default net-snmp value instead of the Stormshield value. This anomaly has been fixed.
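After updating, a practitioner will want to confirm that the agent now answers with the vendor value rather than the stock net-snmp one. The script below is an added example, not Stormshield code: it builds the `snmpget` command line for the query, parses the textual varbind `snmpget` prints, and classifies the returned OID. It assumes that net-snmp's default sysObjectID values live under `NET-SNMP-MIB::netSnmpAgentOIDs` (.1.3.6.1.4.1.8072.3.2) and that Stormshield (NETASQ) answers under its IANA enterprise subtree .1.3.6.1.4.1.11256; the `snmpget` output lines in `SAMPLE_OUTPUT` are constructed, not captured from real devices.

```python
"""Verify that an SNS firewall's sysObjectID carries the vendor value.

Added example, not Stormshield code. Assumptions (labelled):
- net-snmp's default sysObjectID values sit under
  NET-SNMP-MIB::netSnmpAgentOIDs = .1.3.6.1.4.1.8072.3.2.
- The Stormshield (NETASQ) IANA enterprise number is 11256, so a fixed
  firewall is expected to answer under .1.3.6.1.4.1.11256.
- The snmpget output lines in SAMPLE_OUTPUT are constructed, not captured.
"""
import re

NET_SNMP_AGENT_OIDS = "1.3.6.1.4.1.8072.3.2"   # assumption: net-snmp default subtree
STORMSHIELD_ENTERPRISE = "1.3.6.1.4.1.11256"   # assumption: vendor enterprise subtree

# Symbolic prefixes snmpget prints when MIBs are loaded, mapped to numeric form.
_SYMBOLIC_PREFIXES = {
    "NET-SNMP-MIB::netSnmpAgentOIDs": NET_SNMP_AGENT_OIDS,
    "SNMPv2-SMI::enterprises": "1.3.6.1.4.1",
}

_LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s*=\s*OID:\s*(?P<oid>\S+)\s*$")


def snmpget_command(host, community="public"):
    """argv for the one-shot query to run against a firewall after the update."""
    return ["snmpget", "-v2c", "-c", community, host, "SNMPv2-MIB::sysObjectID.0"]


def normalize_oid(text):
    """Turn snmpget's symbolic or leading-dot OID into plain dotted numeric form."""
    text = text.strip()
    for symbolic, numeric in _SYMBOLIC_PREFIXES.items():
        if text == symbolic or text.startswith(symbolic + "."):
            return numeric + text[len(symbolic):]
    return text.lstrip(".")


def parse_snmpget_line(line):
    """Return (varbind name, numeric OID) from one 'name = OID: value' line."""
    m = _LINE_RE.match(line)
    if m is None:
        raise ValueError("not a snmpget OID varbind: %r" % line)
    return m.group("name"), normalize_oid(m.group("oid"))


def _under(oid, subtree):
    return oid == subtree or oid.startswith(subtree + ".")


def classify_sys_object_id(oid):
    """'net-snmp-default' = agent still answers with the stock value (pre-fix),
    'stormshield' = vendor value, 'other' = anything else (probably not an SNS)."""
    oid = normalize_oid(oid)
    if _under(oid, NET_SNMP_AGENT_OIDS):
        return "net-snmp-default"
    if _under(oid, STORMSHIELD_ENTERPRISE):
        return "stormshield"
    return "other"


def audit_sys_object_id(outputs):
    """outputs: {host: snmpget stdout}; returns {host: verdict}.
    A host whose line is malformed (timeout, wrong varbind) is reported as 'error'."""
    verdicts = {}
    for host, stdout in outputs.items():
        try:
            name, oid = parse_snmpget_line(stdout.strip().splitlines()[0])
        except (ValueError, IndexError):
            verdicts[host] = "error"
            continue
        if not name.endswith("sysObjectID.0"):
            verdicts[host] = "error"
            continue
        verdicts[host] = classify_sys_object_id(oid)
    return verdicts


# Constructed sample output (not captured from real devices).
SAMPLE_OUTPUT = {
    "fw-old": "SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.8",
    "fw-new": "SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11256.2.0",
    "printer": "SNMPv2-MIB::sysObjectID.0 = OID: .1.3.6.1.4.1.11.2.3.9.1",
    "fw-down": "Timeout: No Response from fw-down",
}

if __name__ == "__main__":
    for host, verdict in audit_sys_object_id(SAMPLE_OUTPUT).items():
        print(host, verdict)
```

A "net-snmp-default" verdict on a firewall that should be on 4.1.6 means the agent is still the old one; "other" on a host you expected to be an SNS means the inventory, not the firmware, is wrong. Plug the real `snmpget` output into `audit_sys_object_id` in place of the constructed samples.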
Support references 80036 - 77779
Excessive memory consumption issues that caused the SNMP agent service to unexpectedly shut down have been fixed.
Regular CRL retrieval
Support reference 81259
When an explicit proxy is defined on the firewall with a specific network port, the mechanism that regularly retrieves CRLs now correctly uses the port of the explicit proxy to access the Internet.
LDAP directory - Backup server
Support reference 80428
In an LDAP(S) configuration defined with a backup server, when:
- The firewall switched to the backup LDAP(S) server because the main server stopped responding, and
- The backup server also did not respond,
the firewall now immediately attempts to connect to the main server again, instead of waiting for the 10-minute timeout defined in the factory settings.
External LDAP directory
Support reference 81531
After an external LDAP directory was created and made accessible via a secure connection, enabling the option Check the certificate against a Certification Authority and selecting a trusted CA no longer causes an internal error on the firewall.
IP address reputation and geolocation service
Support reference 81048
In some cases, the IP address reputation and geolocation service would unexpectedly shut down after a concurrent access (race) that occurs when a configuration is reloaded. Even when it was automatically restarted, service could still be disrupted. This issue has been fixed.
Support reference 77980
An anomaly relating to the IP address reputation and geolocation service would sometimes result in memory corruption, which would cause the firewall to unexpectedly restart. This issue has been fixed.
Static routing and IPsec VPN
Support reference 80862
In policy-based IPsec VPN configurations (non-VTI), whenever a static route was created for the remote network via the IPsec interface, traffic to this network was not encrypted and sent through the IPsec tunnel as expected. This issue has been fixed.
Bridge - MAC addresses
Support reference 80652
On interfaces attached to a bridge, when a network device is moved and the network traffic that it generates is no longer linked to the same physical interface, the firewall automatically maps the MAC address of the device to the new interface once a Gratuitous ARP request is received from the device on its new interface.
This switch was not correctly applied whenever the MAC address was different after the network device was moved. This issue has been fixed.
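To make the mechanism concrete, the following added example (not Stormshield code, and a simplification of what a bridge does) builds Ethernet/IPv4 ARP payloads, identifies a gratuitous ARP by the rule it keys on (sender and target IP equal), and re-maps the sender MAC to the interface the announcement arrived on. The MAC, IP addresses, interface names and frames are constructed for the scenario; `BridgeMacTable` is an illustrative model, not the firewall's implementation.

```python
"""Toy model of MAC-to-interface learning on a bridge, driven by gratuitous ARP.

Added example, not Stormshield code. It shows what the mechanism keys on:
an ARP packet whose sender and target IP addresses are equal, seen on an
interface other than the one the sender MAC was learned on. The frames
below are constructed, and BridgeMacTable is a deliberate simplification.
"""
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Ethernet/IPv4 ARP payload (without the Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac_bytes(sha), IPv4Address(spa).packed,
                       _mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(payload):
    """Decode an ARP payload; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": _mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(arp):
    """Gratuitous ARP: a request or reply announcing the sender's own address."""
    return arp["oper"] in (ARP_REQUEST, ARP_REPLY) and arp["spa"] == arp["tpa"]


class BridgeMacTable:
    """mac -> interface name; re-maps a moved host when its gratuitous ARP arrives."""

    def __init__(self):
        self.table = {}

    def learn(self, mac, iface):
        self.table[mac] = iface

    def interface_for(self, mac):
        return self.table.get(mac)

    def on_arp(self, payload, iface):
        """Returns (old_iface, new_iface) when a gratuitous ARP moves a MAC, else None."""
        arp = parse_arp(payload)
        if not is_gratuitous(arp):
            return None
        old = self.table.get(arp["sha"])
        if old == iface:
            return None
        self.table[arp["sha"]] = iface
        return (old, iface)


# Constructed scenario: a host moves from interface em1 to em2 and announces itself.
HOST_MAC, HOST_IP = "00:11:22:33:44:55", "192.0.2.10"


def moved_host_scenario():
    bridge = BridgeMacTable()
    bridge.learn(HOST_MAC, "em1")
    # Ordinary request from the host on em2 (spa != tpa): not gratuitous, no move.
    plain = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", "192.0.2.1")
    first = bridge.on_arp(plain, "em2")
    # Gratuitous request (spa == tpa) on em2: the MAC is re-mapped to em2.
    garp = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, BROADCAST, HOST_IP)
    second = bridge.on_arp(garp, "em2")
    return first, second, bridge.interface_for(HOST_MAC)


if __name__ == "__main__":
    print(moved_host_scenario())
```

The model keeps the learned interface until a gratuitous ARP arrives, which is the behaviour the fix above restores; a real bridge also learns from ordinary frames, which this example leaves out on purpose to isolate the gratuitous ARP path.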
SMB - CIFS protocol
Support references 77484 - 77166
Anomalies in the SMB - CIFS protocol analysis would wrongly raise the "Invalid NBSS/SMB protocol" blocking alarm (nb-cifs alarm:158) during legitimate access to shared Microsoft Windows disk resources. These anomalies have been fixed.
Serial numbers of VPAYG firewalls
Support reference 76157
The high availability monitoring mechanism did not recognize serial numbers of VPAYG firewalls (serial number of the firewall, to which an extension such as "-XXXXXXXX" is added). This issue has been fixed.
Configuration via USB key
Support references 79645 - 79283
Whenever a firewall is configured via USB key, an information message now appears in the console and a waiting period of two minutes is initiated when the USB key needs to be removed to continue ongoing operations (firmware updates, connecting a firewall to a cluster, etc.). Removing the USB key suspends the counter.
This mechanism makes it possible to prevent key decryption errors on firewalls equipped with a TPM (SN3100 and SNi20).
Web administration interface
Filtering and NAT - Geolocation and public IP address reputation
Support reference 80980
When a geographic group or a public IP address reputation group is used in a filter/NAT rule, the tool tip that appears when the user scrolls over the group no longer wrongly displays “Object not found”.